Patreon Support
We have 61 patreons:
https://www.patreon.com/ortussolutions.
News and Announcements
Tomcat Vulnerability
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
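As an added example (not from the newsletter or from the Tomcat project), a small Python pre-flight check that applies the per-Java-version rule above to one Tomcat instance: it parses a constructed web.xml for a write-enabled default servlet and combines that with the operator-supplied Java major version, the -Dsun.io.useCanonCaches value (None if unset) and whether the webapps directory sits on a case insensitive file system. Java versions the advisory does not list are treated like Java 8/11, which is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml with the default servlet write-enabled (readonly=false).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix

def default_servlet_writable(web_xml):
    """True if web.xml declares the default servlet with readonly=false."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields, params = {}, {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value", "")
            else:
                fields[_local(child.tag)] = (child.text or "").strip()
        if (fields.get("servlet-name") == "default"
                or fields.get("servlet-class") == "org.apache.catalina.servlets.DefaultServlet"):
            return params.get("readonly", "true").lower() == "false"
    return False

def canon_cache_safe(java_major, use_canon_caches):
    """use_canon_caches: the -Dsun.io.useCanonCaches value as a string, or None if unset."""
    if java_major >= 21:
        return True                                   # property and cache removed
    if java_major >= 17:
        return use_canon_caches in (None, "false")    # default is already false
    # Java 8/11 default to true, so an explicit false is required; versions the
    # advisory does not list are treated the same way (assumption of this example).
    return use_canon_caches == "false"

def assess(web_xml, java_major, use_canon_caches, case_insensitive_fs):
    """Verdict for one Tomcat instance under the advisory's conditions."""
    if not (case_insensitive_fs and default_servlet_writable(web_xml)):
        return "not exposed"
    if canon_cache_safe(java_major, use_canon_caches):
        return "mitigated"
    return "vulnerable: set -Dsun.io.useCanonCaches=false or keep readonly=true"
```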
https://www.cve.org/CVERecord?id=CVE-2024-56337
How to resolve with Lucee:
https://dev.lucee.org/t/cvs-exploit-of-tomcat-9-10-11/14590
End of 2024 - what did it bring?
What is 2025 bringing?
New Releases and Updates
Adobe Security Updates released December 23rd, 2024 - ColdFusion 2023 Update 12 and 2021 Update 18
We have released critical security updates for ColdFusion (2023 release) and ColdFusion (2021 release).
Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read.
View the security bulletin, APSB24-107, and the tech notes for more information.
https://coldfusion.adobe.com/2024/12/released-coldfusion-2023-and-2021-december-23rd-2024-security-updates/
An Initial Analysis of Adobe ColdFusion CVE-2024-53961 - from Hoyahaxa
Adobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval. Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March.
https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html
Blog from Charlie on the updates:
https://www.carehart.org/blog/2024/12/23/ColdFusion_updates_released_Dec_23_2024
Webinars, Meetups and Workshops
ICYMI - Sac Interactive Meetup: All I Want for Christmas is AI with Luke Kilpatrick
Wed, Dec 18 · 6:00 PM PST
https://www.meetup.com/sacinteractive/events/303708503/?eventOrigin=home_page_upcoming_events$all
Sac Interactive Meetup: January with Kai Koenig
CFCasts Content Updates
https://www.cfcasts.com
Merry Xmas - All of the Into the Box 2024 videos are now available for paid subscriptions
https://www.cfcasts.com/series/into-the-box-2024
Conferences and Training
ITB 2025
CFCamp 2025
May 22, 23rd - 2025
Atomis Hotel Munich Airport
https://www.cfcamp.org/
Call for Speakers open -
https://www.papercall.io/cfcamp2025
Closes February 28, 2025 (4am PST)
More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/
Blogs, Posts, and Videos of the Week
12/29/24 - Blog - Ben Nadel - My Internal InVision Feature Demo Videos
Although InVision is shutting its doors, it's been an amazing journey; and, I've done a lot of work that I'm incredibly proud of. In particular, I feel great about the way in which I embraced experimentation with both arms; and, that I tried throwing as many features against the wall to see which would stick. Some of my experiments ended up being a "nothing burger". But, some of them went on to become highly valuable parts of the application and the user experience (UX). The whole process made me somewhat fearless in the face of opposition; and, taught me to love my failures just as much as my successes.
https://www.bennadel.com/blog/4746-my-internal-invision-feature-demo-videos.htm
12/27/24 - Blog - Brad Wood - BoxLang's QoQ Is Here, And It's 5x Faster Than Lucee, 17x Faster Than Adobe!
As BoxLang (our new CF-compatible JVM language) nears its final release, we're very pleased to announce that Query of Query support is ready for testing! QoQ often times draws a variety of reactions from people, but it's a really nice feature to run any SQL select you want against 1 or more in-memory queries for the purpose of filtering, aggregating, or joining. One of the biggest complaints is performance, which is why I've performed 2 rounds of performance enhancements to Lucee's QoQ support in the past which I have detailed here and here.
https://www.codersrevolution.com/blog/boxlangs-qoq-is-here-and-its-5x-faster-than-lucee-17x-faster-than-adobe
12/26/24 - Blog - Ryan Brown - XByte Cloud - Top 9 Tips for Migrating Adobe ColdFusion to the Cloud
Migrating an Adobe ColdFusion website or application to the cloud can open the door to improved scalability, performance, and cost-efficiency. However, the process of migrating a ColdFusion application introduces unique challenges due to its reliance on specific configurations, libraries, and server setups. Whether you are migrating from a traditional on-premises environment, a VPS, or another cloud provider, it’s crucial to understand potential roadblocks and how to address them.
In this blog, we’ll focus on the common issues you might encounter during the migration of a ColdFusion application and highlight things to look out for to ensure a seamless transition. With the right planning and attention to detail, you can take full advantage of the benefits of the cloud while maintaining the reliability and functionality of your ColdFusion application.
https://coldfusion.adobe.com/2024/12/top-9-tips-for-migrating-adobe-coldfusion-to-the-cloud/
12/26/24 - Blog - Ben Nadel - Considering The Aesthetics And Ergonomics Of Post-Back URLs In ColdFusion
Over the years, I've come to believe deeply in the supremacy of the URL. That is, when navigating around a web application, I believe that the vast majority of views should be accessible by URL in order to facilitate deep-linking to anywhere within the app (either in a Single-Page Application context or in a Multi-Page Application context). But, as strongly as I feel about this, I've never quite reconciled it with the way in which I manage my post-back URLs in ColdFusion. As such, I wanted to briefly consider both the aesthetics and ergonomics of post-back URLs.
https://www.bennadel.com/blog/4745-considering-the-aesthetics-and-ergonomics-of-post-back-urls-in-coldfusion.htm
12/23/24 - Blog - Brian with HoyaHaxa - An Initial Analysis of Adobe ColdFusion CVE-2024-53961
Adobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval. Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March.
https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html
12/23/24 - Blog - Charlie Arehart - Announcing ColdFusion updates released Dec 23 2024: p1 security update
An update for ColdFusion has been released today for both cf2023 (update 12) and cf2021 (update 18). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update (CVSS Base Score of 7.4 out of 10).
In this post, I share the details about the update (from Adobe and from others, including pointing to some discussions I've already started online about the update). Note also that while you may read that the update is related to the CF PMT feature, beware presuming it therefore "doesn't apply to you" because you "don't use it". See the next section for more.
https://www.carehart.org/blog/2024/12/23/ColdFusion_updates_released_Dec_23_2024
12/23/24 - Blog - Ortus Solutions - Partner with BoxLang and Ortus at Into the Box 2025: Empowering the Future of Modern Software Development!
Partner with Us at Into the Box 2025!
At Ortus Solutions, we’ve always been at the forefront of innovation in the ColdFusion ecosystem. From pioneering modern ColdFusion practices to developing cutting-edge tools and frameworks, we’ve been passionate to help and support the community in shaping the future of web development. That’s why we decided to build BoxLang, our new JVM programming language that not only builds on the strengths of ColdFusion but takes modern software development to the next level.
As we continue to innovate, we invite companies and organizations to join us at Into the Box 2025—the premier event for modern CFML software development and the perfect place to showcase the future of coding, tools, and technologies like BoxLang.
https://www.ortussolutions.com/blog/partner-with-boxlang-and-ortus-at-into-the-box-2025-empowering-the-future-of-modern-software-development
12/22/24 - Blog - Greg Alexander - Things that I Wish I Had Known Before Setting Up a Smart Home - A Smart Home Primer
Building a smart home has many benefits. There are many convenience and safety features that a smart home makes possible. A smart home opens up many opportunities: while sleeping, you can turn on the overhead fan with your voice without getting up, set a smart door to lock automatically at a certain time, open or close your garage door while you're away, automate comfort settings and lights when you come home from work, set the ambiance when you turn on the TV, etc. A smart home is incredible; however, building one can be difficult, and the costs can quickly add up if not done correctly.
https://www.gregoryalexander.com/blog/2024/12/22/things-that-i-wish-i-had-known-before-setting-up-a-smart-home--a-smart-home-primer
12/19/24 - Blog - Ortus Solutions - Ortus Solutions & BoxLang at Jfokus 2025: Silver Sponsor and Innovator
We’re thrilled to announce that Ortus Solutions, through BoxLang, will be participating as a Silver Sponsor at the prestigious Jfokus 2025 conference! Taking place in Stockholm, Sweden, from February 3 to 5, Jfokus is one of the premier developer conferences in Europe, bringing together thousands of tech enthusiasts, thought leaders, and industry professionals.
https://www.ortussolutions.com/blog/ortus-solutions-boxlang-at-jfokus-2025-silver-sponsor-and-innovator
12/18/24 - Video Blog - Ben Nadel and Ryan Brown – Cryptography with Justin Scott
In this episode, your hosts Ben Nadel and Ryan Brown are joined by long-time Adobe ColdFusion developer and security expert, Justin Scott, to discuss his recent presentation at the Adobe ColdFusion Summit.
Who is Justin Scott
• CISO with Smart Communications
• (ISC)² Certified
• Long time ColdFusion developer
https://coldfusion.adobe.com/2024/12/ben-ryan-show-cryptography-with-justin-scott/
12/18/24 - Blog - Ortus Solutions - ColdBox Free Tip 6 - Using Routing with Wildcard Domains!
ColdBox gives you the flexibility to create domain-specific routes, making it perfect for multi-tenant applications or projects that need to respond differently based on the domain or subdomain being accessed. In this tip, we’ll dive into how to use the withDomain() method to create routes that match specific domains or sub-domains.
https://www.ortussolutions.com/blog/coldbox-free-tip-6-using-routing-with-wildcard-domains
BoxLang Corner
12/18/24 - Blog - Luis Majano - Ortus Solutions - Why BoxLang When You Have Kotlin, Groovy, Scala, and more…
As we approach a stable release of BoxLang and our continued marketing reaches more folks, many have asked about its purpose. Why create a new language when the JVM ecosystem already includes established languages like Kotlin, Groovy, and Scala, to name a few?
I believe these are great and relevant questions. We had several motivations that ultimately made us create BoxLang. The decision to do this has spanned over six years of research, contemplation, and prayer; so it has not been rash or spur-of-the-moment. It has been a calculated decision, culminating in over 18 years of creating frameworks and libraries for the ColdFusion/CFML and Java communities. It has definitely not been an easy decision to embark on this journey at all. We knew from the start that this would be a gargantuan task and that we could fail at any time. However, we knew that if we did it, that we would go all in, no reservations, no retreats and no regrets. The rewards would come.
With that said, let's examine these questions by looking at the three languages mentioned above. I'll focus on those for now, rather than discussing ColdFusion/CFML, since we've already covered our reasons for not pursuing either commercial or open-source vendors elsewhere.
https://www.ortussolutions.com/blog/why-boxlang-when-you-have-kotlin-groovy-scala-and-more
CFML Jobs
Several positions available on
https://www.getcfmljobs.com/
Listing over 23 ColdFusion positions from 22 companies across 16 locations in 5 Countries.
1 new job listed
Full-Time - Senior Software Engineer (ColdFusion)- Remote at Fort Washin.. - United States
Posted Dec 25
https://www.getcfmljobs.com/jobs/index.cfm/united-states/SrCFDeveloper-at-FortWashington-PA/11651
ForgeBox Module of the Week
Coldbox Kutt SDK module
Kutt is a modern URL shortener with support for custom domains. Shorten URLs, manage your links and view the click rate statistics.
This module provides a simple SDK for creating and managing Tiny URLs using the open-source Kutt application, which you could host on your own servers.
https://www.forgebox.io/view/kutt-sdk
VS Code Hint, Tip, and Trick of the Week
Demo Time
Script your coding demos to perfection with this VS Code extension – no typos, no missteps, just flawless, stress-free presentations every time. Execute each demo step seamlessly, just like advancing through a presentation!
https://marketplace.visualstudio.com/items?itemName=eliostruyf.vscode-demo-time
Thank you to all of our Patreon Supporters
These individuals are personally supporting our open source initiatives to ensure that great tooling like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keep getting the continuous development they need.
Their contributions fund the cloud infrastructure that our community relies on like